[lxc-devel] [PATCH v2 rebased against github master 9d0cda4f] refactor AppArmor into LSM backend, add SELinux support

Dwight Engen dwight.engen at oracle.com
Thu Sep 26 13:32:16 UTC 2013


On Wed, 25 Sep 2013 17:25:13 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > Currently, a maximum of one LSM within LXC will be initialized and
> > used. If in the future stacked LSMs become a reality, we can
> > support it without changing the configuration syntax and add
> > support for more than a single LSM at a time to the lsm code.
> > 
> > Generic LXC code should note that lsm_process_label_set() will take
> > effect "now" for AppArmor, and upon exec() for SELinux.
> 
> Ah, that's right, lxc-attach doesn't always exec a new task, right?
> So that's where the selinux behavior may be a problem.

Right, that's what I was trying to get at with the whole "different
semantics" thing. Sorry I couldn't clearly explain that before.
lxc-attach works fine on selinux as long as you run a program, but just
doing a function will not be in the new context. I don't think there is
a way to support that in selinux.

> -serge
